How Microsoft Dogfoods System Center Configuration Manager

Microsoft uses System Center Configuration Manager (SCCM) to manage 300,000 PCs across its own facilities worldwide, a Microsoft executive revealed this month.

That figure came from Kelly Pranghofer, who oversees Microsoft's internal SCCM use. Pranghofer, along with Brad Anderson, Microsoft corporate vice president for Enterprise Mobility, was a guest on two Microsoft-produced podcasts this month that focused on how Microsoft uses SCCM to deploy and test the software it produces.

Microsoft regularly uses its SCCM product to deploy software patches across the company's facilities prior to the release of its public "patch Tuesday" security updates each month, according to Pranghofer and Anderson. Pranghofer said that of the 300,000 Microsoft PCs that are managed by SCCM, about 70 percent are Windows 8.1 deployments. About 13 percent to 14 percent of that total represents machines running Windows Server.

Microsoft's goal when releasing its patch software internally, prior to patch Tuesday public releases, is to hit 98 percent of its 300,000 PCs over a period of seven days, Pranghofer explained. The company has five primary sites around the world for its software patching, along with 12 or 13 secondary sites, plus 350 distribution servers.

For each patch release deployment, the team deploys to about 10,000 PCs initially, which allows them to check for any problems. Microsoft permits this initial test group to suppress reboots for up to seven days, after which the change takes effect. The goal is to get 98 percent compliance from such rollouts.

In addition to testing software patches in advance of public release by simply delivering them down to employees' machines, the team deploys and uses prerelease versions of SCCM software. Pranghofer explained during the talk that Microsoft has already deployed "Service Pack 2" across the company. Presumably he was referring to System Center 2012 R2 SP2, which isn't available publicly, nor is SP1. He said that the deployment of SP2 took place over a single weekend, adding that organizations can deploy new System Center software quickly if they want to do so, although many would typically take months to do it.

On the mobile side, Microsoft currently has 30,000 devices under management. Of that total, 65 percent to 75 percent are Windows Phone devices. However, Pranghofer noted that Microsoft is permissive about allowing its employees to use non-Microsoft devices, including iOS- and Android-based devices.

Microsoft's wireless network for employees is split into two parts: one that connects to the public Internet and another that connects to the corporate network. Accessing the corporate Wi-Fi network requires a device to have a certificate and be managed via Microsoft Intune, Pranghofer said. Accessing the virtual private network at Microsoft requires that a device have a certificate and pass a multifactor authentication test.

Pranghofer said that in the next couple of months, Microsoft is going to require "conditional access" for its devices. With the conditional access approach, a device has to meet certain requirements and be managed in order for network access to be granted.

Anderson and Pranghofer concluded their discussion by asserting that SCCM has gone beyond being a patch management tool. It's becoming more of a core critical business system for Microsoft, they contended.

Pranghofer said he has overseen Microsoft's internal SCCM practices since 2005. Anderson noted that Microsoft recently moved its System Center team out of the IT department and into the engineering team. Pranghofer noted that this shift has helped the SCCM team better address scale issues with its management tools, as well as circumstances where there might be some feature gaps.

Part 1 of the podcast can be accessed here, with Part 2 at this page. Each podcast is about 12 minutes long.